The reasons behind the presence of a mag stripe on cards alongside chip (and PIN) have long been debated at Consult Hyperion, especially for the US, where things were different for years; of course the US has now introduced chip and PIN as well.

But putting numbers and signatures on cards helps criminals. There’s no need for it.

A couple of years later, in “Tired: Banks that store money. Wired: Banks that store identity” we asked why banks didn’t put a token in Apple Pay that didn’t disclose the name or personal information of the holder, a “stealth card” that could be used to buy adult services online using the new Safari in-browser Apple Pay experience. This would be a simple win-win: good for the merchants as it would remove CNP fraud and good for the customers as it would prevent the next Ashley-Madison catastrophe. Keep my real identity safe in the vault, give the customer a blank card to go shopping with.

Brazil Nuts

Some years ago, when we were testing Static Data Authentication (SDA) “chip and PIN” cards in the UK, we used to make our own EMV cards. To do this, we took valid card data and loaded it onto our own Java cards. These are what we in the business call “white plastic”, because they are a white plastic card with a chip on it but otherwise completely blank. Since our white plastic do-it-yourself EMV cards could not generate the correct cryptogram (you can’t get the necessary key out of the chip on the real card, which is why you can’t make true clones of EMV cards), we simply set the cryptogram value to “SDA ANTICS” or whatever (in hex). If the card issuer is checking the cryptograms properly, it will spot the invalid cryptogram and reject the transaction. If it is not checking the cryptograms, the transaction goes through.

You might call these cards pseudo-clones. They acted like clones in that they worked correctly in the terminals, but they were not real clones: they didn’t have the right keys inside them. Naturally, if you made one of these pseudo-clones you didn’t want to be bothered with PIN management, so you made it into a “yes card”: instead of programming the chip to check that the correct PIN is entered, you programmed it to respond “yes” to whatever PIN is entered. We used these pseudo-clone cards in a number of shops in Guildford as part of our testing processes, to make sure that issuers were checking the cryptograms properly. Not once did any of the Guildford shopkeepers bat an eyelid about us putting these strange blank white cards into their terminals. It’s worth noting that things have progressed and fortunately this wouldn’t work now, as the schemes have moved on from SDA.

I heard a different story from a Brazilian contact. He discovered that a Brazilian bank was issuing SDA cards and he wanted to find out whether the bank was actually checking cryptograms properly (they weren’t). In order to determine this, he made a similar white plastic pseudo-clone card and went into a shop to try it out.

When he put the completely white card into the terminal, the Brazilian shopkeeper stopped him and asked him what he was doing and what this completely blank white card was, clearly suspecting some misbehaviour.

The guy, thinking quickly, told him that it was one of the new Apple credit cards!

“Cool” said the shopkeeper, “How can I get one?”.

Titanium Dreams

That Brazil story was written back in 2014! There was no white Apple credit card at that time, but it was interesting that the shopkeeper expected an Apple credit card to be all white with no personal data on display, just as we had suggested in our ancient ruminations on card security. Imagine the total lack of surprise when the internet tubes delivered the news of the actual Apple credit card launched in California a couple of weeks ago. Apple CEO Tim Cook said that the new Apple Card would be the biggest card innovation “in 50 years” [FT]. This seems a little rough on the magnetic stripe, online authorisation, chip and PIN, debit cards, contactless interfaces and so on, but it is certainly an interesting development for people like us at Consult Hyperion.

The story gathered the usual media interest, with a number of reports on the web talking about “Apple going into banking”, which, obviously, it is not. Far from it. The Apple Card issuer is Goldman Sachs (it’s their first credit card product) and the card product is wholly unremarkable. The card looks pretty cool though, no doubt about that. I still don’t know why they put the cardholder name on the front (instead of their Apple ID).

Apple Card is launching into an interesting environment. The US POS is a confusing place, but Apple know their stuff and I am sure that they think they can use the 2% cash back on Apple Pay purchases vs. the 1% on chip/stripe to push people toward the habit of using their phones at POS instead of cards. Judging by the sign I saw in an Austin gas station, they may be right.

The Apple Card adds security, there’s no doubt about that. The card-not-present PAN and CVV displayed by the app (which can be refreshed) are not the same as the PAN and CVV on the stripe, so you can’t make counterfeit stripe cards with data from the app. Apple also uses the Mastercard token Account Update service, so if you give (say) Spotify the CNP PAN/CVV and then refresh it, you don’t need to tell Spotify that anything has changed, because Mastercard will sort it out with Spotify. That’s security for the infrastructure and convenience for the customer.
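To make the two properties in that paragraph concrete, here is a small model of an issuer that keeps the stripe credential and the app’s card-not-present credential separate, and of an account-update service that pushes a refreshed credential to merchants holding the card on file. It is an added example and not Apple’s, Goldman Sachs’ or Mastercard’s code; the credential generator, the merchant names and the rule that only merchants enrolled with the updater receive the new credential are this model’s assumptions, not claims from the text.

```python
"""Apple Card credential split, modelled in miniature.

Added example; not Apple's, Goldman Sachs' or Mastercard's code.  It assumes a
simplified issuer that keeps two credentials per account (the PAN on the physical
card's stripe and a separately generated card-not-present PAN/CVV shown in the app)
plus a stand-in for the network's Account Update service that pushes a refreshed
CNP credential to enrolled merchants holding the card on file.  That only enrolled
merchants receive the update is the model's assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    pan: str
    cvv: str


class Merchant:
    """A merchant that keeps a card on file for repeat billing."""

    def __init__(self, name: str):
        self.name = name
        self.on_file: dict[str, Credential] = {}      # customer -> stored credential

    def store(self, customer: str, cred: Credential) -> None:
        self.on_file[customer] = cred

    def replace_on_file(self, old: Credential, new: Credential) -> None:
        for customer, cred in self.on_file.items():
            if cred == old:
                self.on_file[customer] = new

    def charge(self, issuer: "Issuer", customer: str, amount: int) -> str:
        return issuer.authorise(self.on_file[customer], "cnp", amount)


class AccountUpdater:
    """Stand-in for the network service: enrolled merchants are told when a
    credential they hold on file has been replaced."""

    def __init__(self):
        self.enrolled: dict[str, Merchant] = {}

    def enrol(self, merchant: Merchant) -> None:
        self.enrolled[merchant.name] = merchant

    def notify(self, old: Credential, new: Credential) -> None:
        for merchant in self.enrolled.values():
            merchant.replace_on_file(old, new)


class Issuer:
    def __init__(self, updater: AccountUpdater):
        self.updater = updater
        self.accounts: dict[str, dict] = {}
        self._seq = 0

    def _new_credential(self, bin_prefix: str) -> Credential:
        # Constructed deterministic generator; a real issuer randomises these values.
        self._seq += 1
        return Credential(pan=f"{bin_prefix}{self._seq:010d}",
                          cvv=f"{(self._seq * 37) % 1000:03d}")

    def open_account(self, account_id: str) -> dict:
        acct = {"stripe": self._new_credential("541234"),    # encoded on the physical card
                "cnp": self._new_credential("541299")}       # shown in the app, refreshable
        self.accounts[account_id] = acct
        return acct

    def refresh_cnp(self, account_id: str) -> Credential:
        """Rotate the app credential and let the updater inform merchants."""
        acct = self.accounts[account_id]
        old, new = acct["cnp"], self._new_credential("541299")
        acct["cnp"] = new
        self.updater.notify(old, new)
        return new

    def authorise(self, cred: Credential, channel: str, amount: int) -> str:
        """A credential is accepted only on the channel it was issued for and only
        while it is current; anything else (including a retired CNP PAN) is declined."""
        if channel not in ("stripe", "cnp"):
            return "declined"
        for acct in self.accounts.values():
            if acct[channel] == cred:
                return "approved"
        return "declined"


def run_scenario() -> dict:
    """Walk through the cases the text describes and return each outcome."""
    updater = AccountUpdater()
    issuer = Issuer(updater)
    spotify = Merchant("Spotify")            # enrolled with the updater
    updater.enrol(spotify)
    other = Merchant("UnenrolledShop")       # holds the card on file but is not enrolled
    acct = issuer.open_account("alice")
    app_cred = acct["cnp"]
    spotify.store("alice", app_cred)
    other.store("alice", app_cred)

    results = {"stripe and app PANs differ": acct["stripe"].pan != app_cred.pan,
               "app data presented as a stripe": issuer.authorise(app_cred, "stripe", 500),
               "spotify before refresh": spotify.charge(issuer, "alice", 999)}
    issuer.refresh_cnp("alice")
    results["old app credential after refresh"] = issuer.authorise(app_cred, "cnp", 999)
    results["spotify after refresh"] = spotify.charge(issuer, "alice", 999)
    results["unenrolled merchant after refresh"] = other.charge(issuer, "alice", 999)
    results["physical card after refresh"] = issuer.authorise(acct["stripe"], "stripe", 500)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:36s}: {outcome}")
```

The unenrolled merchant case is the practical caveat: a refresh only stays invisible to the customer for merchants the account-update service can reach, so anyone else holding the old CNP credential will see declines until they are given the new one.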

Now You See It

While I was jotting down some notes about Apple Card, I was thinking about David Kwong, the illusionist. He gave an entertaining talk at Know 2019 in Las Vegas and I was privileged to MC his session. I was sitting feet away from him and I couldn’t figure out how he did it. That’s because he is a master of misdirection!

I can’t help feeling that there’s a bit of misdirection going on with Apple Card. The press are reporting about the card product, but it’s really not that earth shattering. It seems to me that what is really important in the announcement isn’t extending Goldman Sachs’ consumer credit business or that bribe to persuade apparently reluctant consumers to use Apple Pay at contactless terminals instead of swiping their card, but the attempt to get people to use Apple Cash. Cognisant of how Starbucks makes out by persuading citizens to exchange their US dollars that are good anywhere into Starbucks Dollars that are not, and of Facebook’s likely launch of some kind of Facebook Money, Apple are hoping to kick-start an Apple Cash ecosystem.

You may have noticed that, as of now, you can no longer fund person-to-person Apple payments (in Messages) using a credit card. You can still fund your Apple Cash via a debit card. You can pay out from your Apple Cash to a Visa debit card for a 1% fee or via ACH to a bank account for free. They want to reduce the costs of getting volume into Apple Cash and make it possible for you to get it out without jumping through hoops. Given that you can do this, you’ll be more relaxed about holding an Apple Cash balance, and that means that next time you go to buy a game or a song or whatever, Apple can knock it off your Apple Cash balance rather than feeding transactions through the card rails.

And why not? In this ecosystem Apple would carry the float, which might well run into millions of dollars (Starbucks’ float is over a billion dollars), and if it could persuade consumers to fund app, music and movie purchases from Apple Cash instead of cards it would not only save money, but anchor an ecosystem that could become valuable to third-party providers as well. With Facebook’s electronic money play on the horizon, I think Apple are making a play not for a new kind of card to compete with my Amex Platinum and my John Lewis MasterCard but for a new kind of money to compete with BezosBucks, ZuckDollas and Google Groats.

Thought Leaders

We help our clients bridge the gap between business and technology by providing practical, impartial advice at all stages in a project life cycle from the conceptual phase through to completion. We help organisations evaluate, prototype and design new business concepts, develop new products and services and test and certify complex systems using advanced techniques and fully-automated robotic test management.